Re: [PATCH nft] configure: Remove AC_HEADER_STDBOOL, AC_C_ and AC_TYPE_ macros

On Fri, Jan 19, 2018 at 08:30:17AM +0530, Varsha Rao wrote: > The following macros check if particular C types in specific header file > exists, these header files defines them and are already included in the > source code. So, remove them. > > AC_HEADER_STDBOOL - stdbool.h > AC_TYPE_INT and

Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time

On Fri, 19 Jan 2018, Pablo Neira Ayuso wrote: > Several reasons for this: > > * Several modules maintain internal version numbers, that they print at > boot/module load time, that are not exposed to userspace, as a > primitive mechanism to make revision number control from the earlier >

[nft PATCH] doc/nft.xml: mention nftables earlier

Mention nftables earlier in the documentation, so users have more context on what we are talking about. This is Debian bug #887718, which contains: <<< Currently one must read down 100 lines before it is even mentioned. You might want to make the connection between "nft" and "nftables" as early

Re: [nft PATCH] doc/nft.xml: mention nftables earlier

On Fri, Jan 19, 2018 at 01:17:47PM +0100, Arturo Borrero Gonzalez wrote: > Mention nftables earlier in the documentation, so users have more context on > what > we are talking about. > > This is Debian bug #887718, which contains: > > <<< > Currently one must read down 100 lines before it is

Re: [PATCH V5 0/5] netfilter: nf_nat_snmp_basic: use ASN.1 decoder

On Mon, Jan 08, 2018 at 12:09:17AM +0900, Taehee Yoo wrote: > The goal of this patch set are to use the ASN.1 decoder library > to parse SNMP ASN.1 payload. Thanks, I'm going to apply to nf-next. I've been postponing this to schedule time to test this intensively, but I've been failing to find

Re: [PATCH] netfilter: nf_tables: Fix trailing semicolon

On Tue, Jan 16, 2018 at 02:51:01PM +, Luis de Bethencourt wrote: > The trailing semicolon is an empty statement that does no operation. > Removing it since it doesn't do anything. Applied. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message

Re: [PATCH v2] netfilter: delete /proc THIS_MODULE references

On Tue, Jan 16, 2018 at 12:45:32AM +0300, Alexey Dobriyan wrote: > /proc has been ignoring struct file_operations::owner field for 10 years. > Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba > ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where >

Re: [nft PATCH] Eliminate forgotten traces of libnftables exporting

On Tue, Jan 16, 2018 at 05:19:57PM +0100, Phil Sutter wrote: > This removes libnftables pkg-config file along with the few lines of > code to adjust and install it. Applied, thanks Phil. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to

[PATCH nf-next] netfilter: remove messages print and boot/module load time

Several reasons for this: * Several modules maintain internal version numbers, that they print at boot/module load time, that are not exposed to userspace, as a primitive mechanism to make revision number control from the earlier days of Netfilter. * IPset shows the protocol version at

Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time

Pablo Neira Ayuso wrote: > Several reasons for this: > > * Several modules maintain internal version numbers, that they print at > boot/module load time, that are not exposed to userspace, as a > primitive mechanism to make revision number control from the earlier >

Re: [Iptables PATCH] extensions: Add test for cluster nft translation

On Tue, Jan 16, 2018 at 09:50:13PM +0530, Shyam Saini wrote: > This patch adds test cases for iptables to nft translation of cluster match > This adds all test cases including corner cases. > > Run these test cases like: > > $ ./xlate-test.py extensions/libxt_cluster.txlate Applied,

Re: [PATCH] netfilter: return booleans instead of integers

On Thu, Jan 18, 2018 at 05:25:12PM -0600, Gustavo A. R. Silva wrote: > Return statements in functions returning bool should use > true/false instead of 1/0. > > These issues were detected with the help of Coccinelle. Applied, thanks. -- To unsubscribe from this list: send the line "unsubscribe

[PATCH nf-next] netfilter: nf_tables: set flowtable priority and hooknum field

Otherwise netlink dump sends uninitialized fields to userspace. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index

[PATCH nf-next] netfilter: nf_tables: allocate flowtable handle and delete flowtable via handle

This patch add code to allocate unique object handles and delete objects via those unique object handles. Signed-off-by: Pablo Neira Ayuso --- @Harsha: Only this one missing, I quickly made it here. include/net/netfilter/nf_tables.h| 2 ++

Re: [PATCH nf-next] netfilter: remove messages print and boot/module load time

On 19 January 2018 at 13:47, Pablo Neira Ayuso wrote: > Several reasons for this: > > * Several modules maintain internal version numbers, that they print at > boot/module load time, that are not exposed to userspace, as a > primitive mechanism to make revision number

[PATCH 11/32] netfilter: remove duplicated include

From: Wei Yongjun Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso --- net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 - net/netfilter/nf_queue.c| 2 -- 2 files changed, 3 deletions(-) diff --git

[PATCH 32/32] netfilter: remove messages print and boot/module load time

Several reasons for this: * Several modules maintain internal version numbers, that they print at boot/module load time, that are not exposed to userspace, as a primitive mechanism to make revision number control from the earlier days of Netfilter. * IPset shows the protocol version at

[PATCH 13/32] netfilter: add IPv6 segment routing header 'srh' match

From: Ahmed Abdelsalam It allows matching packets based on Segment Routing Header (SRH) information. The implementation considers revision 7 of the SRH draft. https://tools.ietf.org/html/draft-ietf-6man-segment-routing-header-07 Currently supported match options include:

[PATCH 15/32] netfilter: clusterip: make sure arp hooks are available

From: Florian Westphal The clusterip target needs to register an arp mangling hook, so make sure NF_ARP hooks are available. Fixes: 2a95183a5e ("netfilter: don't allocate space for arp/bridge hooks unless needed") Reported-by: kernel test robot

[PATCH 14/32] netfilter: improve flow table Kconfig dependencies

From: Arnd Bergmann The newly added NF_FLOW_TABLE options cause some build failures in randconfig kernels: - when CONFIG_NF_CONNTRACK is disabled, or is a loadable module but NF_FLOW_TABLE is built-in: In file included from net/netfilter/nf_flow_table.c:8:0:

[PATCH 12/32] netfilter: core: return EBUSY in case NAT hook is already in use

EEXIST is used for an object that already exists, with the same name/handle. However, there no same object there, instead there is a object that is using the single slot that is available for NAT hooks since patch f92b40a8b264 ("netfilter: core: only allow one nat hook per hook point"). Let's

[PATCH 07/32] netfilter: nf_tables: get rid of struct nft_af_info abstraction

Remove the infrastructure to register/unregister nft_af_info structure, this structure stores no useful information anymore. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 23 +-- net/bridge/netfilter/nf_tables_bridge.c | 25 +--

[PATCH 09/32] netfilter: nf_tables: fix a typo in nf_tables_getflowtable()

From: Wei Yongjun Fix a typo, we should check 'flowtable' instead of 'table'. Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso ---

[PATCH 22/32] netfilter: nf_nat_snmp_basic: remove useless comment

From: Taehee Yoo Remove comments that do not let us know important information. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nf_nat_snmp_basic.c | 30 -- 1 file

[PATCH 04/32] netfilter: nf_tables: remove struct nft_af_info parameter in nf_tables_chain_type_lookup()

Pass family number instead, this comes in preparation for the removal of struct nft_af_info. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 16 +++- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/net/netfilter/nf_tables_api.c

[PATCH 08/32] netfilter: x_tables: unbreak module auto loading

From: Florian Westphal a typo causes module auto load support to never be compiled in. Fixes: 03d13b6868a2 ("netfilter: xtables: add and use xt_request_find_table_lock") Reported-by: Pablo Neira Ayuso Signed-off-by: Florian Westphal

[PATCH 05/32] netfilter: nf_tables: add single table list for all families

Place all existing user defined tables in struct net *, instead of having one list per family. This saves us from one level of indentation in netlink dump functions. Place pointer to struct nft_af_info in struct nft_table temporarily, as we still need this to put back reference module reference

[PATCH 02/32] netfilter: nf_tables: remove flag field from struct nft_af_info

Replace it by a direct check for the netdev protocol family. Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h | 6 -- net/netfilter/nf_tables_api.c | 2 +- net/netfilter/nf_tables_netdev.c | 1 - 3 files changed, 1 insertion(+), 8 deletions(-)

[PATCH 03/32] netfilter: nf_tables: no need for struct nft_af_info to enable/disable table

nf_tables_table_enable() and nf_tables_table_disable() take a pointer to struct nft_af_info that is never used, remove it. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 21 ++--- 1 file changed, 6 insertions(+), 15 deletions(-) diff

[PATCH 01/32] netfilter: nf_tables: remove nhooks field from struct nft_af_info

We already validate the hook through bitmask, so this check is superfluous. When removing this, this patch is also fixing a bug in the new flowtable codebase, since ctx->afi points to the table family instead of the netdev family which is where the flowtable is really hooked in. Signed-off-by:

[PATCH 23/32] netfilter: nf_nat_snmp_basic: remove debug parameter

From: Taehee Yoo To see debug message of nf_nat_snmp_basic, we should set debug value when we insert this module. but it is inconvenient and only using of the dynamic debugging is enough to debug. This patch just removes debug code. then in the next patch, debugging code

[PATCH 26/32] netfilter: nf_nat_snmp_basic: use asn1 decoder library

From: Taehee Yoo The basic SNMP ALG parse snmp ASN.1 payload however, since 2012 linux kernel provide ASN.1 decoder library. If we use ASN.1 decoder in the /lib/asn1_decoder.c, we can remove about 1000 line of ASN.1 parsing routine. To use asn1_decoder.c, we should write mib

[PATCH 31/32] netfilter: nf_tables: set flowtable priority and hooknum field

Otherwise netlink dump sends uninitialized fields to userspace. Signed-off-by: Pablo Neira Ayuso --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index

[PATCH 30/32] netfilter: delete /proc THIS_MODULE references

From: Alexey Dobriyan /proc has been ignoring struct file_operations::owner field for 10 years. Specifically, it started with commit 786d7e1612f0b0adb6046f19b906609e4fe8b1ba ("Fix rmmod/read/write races in /proc entries"). Notice the chunk where inode->i_fop is initialized

[PATCH 19/32] netfilter: ipv6: nf_defrag: Pass on packets to stack per RFC2460

From: Subash Abhinov Kasiviswanathan ipv6_defrag pulls network headers before fragment header. In case of an error, the netfilter layer is currently dropping these packets. This results in failure of some IPv6 standards tests which passed on older kernels due to the

[PATCH 06/32] netfilter: nf_tables: get rid of pernet families

Now that we have a single table list for each netns, we can get rid of one pointer per family and the global afinfo list, thus, shrinking struct netns for nftables that now becomes 64 bytes smaller. And call __nft_release_afinfo() from __net_exit path accordingly to release netnamespace objects

[PATCH 10/32] netfilter: core: make local function __nf_unregister_net_hook static

From: Wei Yongjun Fixes the following sparse warning: net/netfilter/core.c:380:6: warning: symbol '__nf_unregister_net_hook' was not declared. Should it be static? Signed-off-by: Wei Yongjun Signed-off-by: Pablo Neira Ayuso

[PATCH 27/32] netfilter: nf_tables: allocate handle and delete objects via handle

From: Harsha Sharma This patch allows deletion of objects via unique handle which can be listed via '-a' option. Signed-off-by: Harsha Sharma Signed-off-by: Pablo Neira Ayuso --- include/net/netfilter/nf_tables.h

[PATCH 16/32] netfilter: nf_defrag: Skip defrag if NOTRACK is set

From: Subash Abhinov Kasiviswanathan conntrack defrag is needed only if some module like CONNTRACK or NAT explicitly requests it. For plain forwarding scenarios, defrag is not needed and can be skipped if NOTRACK is set in a rule. Since conntrack defrag is currently

[PATCH 25/32] netfilter: nf_nat_snmp_basic: use nf_ct_helper_log

From: Taehee Yoo Use nf_ct_helper_log to write log message. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/nf_nat_snmp_basic.c | 11 ++- 1 file changed, 6 insertions(+), 5 deletions(-)

[PATCH 17/32] netfilter: nf_tables: flow_offload depends on flow_table

From: Arnd Bergmann Without CONFIG_NF_FLOW_TABLE, the new nft_flow_offload module produces a link error: net/netfilter/nft_flow_offload.o: In function `nft_flow_offload_iterate_cleanup': nft_flow_offload.c:(.text+0xb0): undefined reference to `nf_flow_table_iterate'

[PATCH 20/32] netfilter: nf_defrag: mark xt_table structures 'const' again

From: Arnd Bergmann As a side-effect of adding the module option, we now get a section mismatch warning: WARNING: net/ipv4/netfilter/iptable_raw.o(.data+0x1c): Section mismatch in reference from the variable packet_raw to the function .init.text:iptable_raw_table_init() The

[PATCH 18/32] netfilter: x_tables: don't return garbage pointer on modprobe failure

From: Florian Westphal request_module may return a positive error result from modprobe, if we cast this to ERR_PTR this returns a garbage result (it passes IS_ERR checks). Fix it by ignoring modprobe return values entirely, just retry the table lookup instead. Reported-by:

[PATCH 21/32] netfilter: nf_defrag: move NF_CONNTRACK bits into #ifdef

From: Arnd Bergmann We cannot access the skb->_nfct field when CONFIG_NF_CONNTRACK is disabled: net/ipv4/netfilter/nf_defrag_ipv4.c: In function 'ipv4_conntrack_defrag': net/ipv4/netfilter/nf_defrag_ipv4.c:83:9: error: 'struct sk_buff' has no member named '_nfct'

[PATCH 24/32] netfilter: nf_nat_snmp_basic: replace ctinfo with dir.

From: Taehee Yoo The snmp_translate() receives ctinfo data to get dir value only. because of caller already has dir value, we just replace ctinfo with dir. Signed-off-by: Taehee Yoo Signed-off-by: Pablo Neira Ayuso ---

[nf-next:master 27/32] net/netfilter/nf_tables_api.c:4331:19: sparse: symbol 'nf_tables_obj_lookup_byhandle' was not declared. Should it be static?

tree: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master head: e55311665286ab2744295575948c2b08dc001bf3 commit: 3ecbfd65f50e5ff9c538c1bfa3356ef52cc66586 [27/32] netfilter: nf_tables: allocate handle and delete objects via handle reproduce: # apt-get install

[RFC PATCH nf-next] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static

Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle") Signed-off-by: Fengguang Wu --- nf_tables_api.c |8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/net/netfilter/nf_tables_api.c

Error: interval overlaps with previous one (with previously valid configuration)

With a previously valid configuration, which "includes" files into the main configuration, I get error messages with the HEAD of master on January 16, 2018 9afd72a883e391e366a1d75bb4e1705357e078e9 systemd[1]: Starting nftables... apu.allycomm.com nft[31431]: In file included from

Re: [PATCH v2] extensions: libxt_hashlimit: Do not print default timeout and burst

On Fri, Jan 19, 2018 at 03:27:57AM +0100, Pablo Neira Ayuso wrote: > On Fri, Jan 19, 2018 at 12:48:15PM +1100, Duncan Roe wrote: > > On Tue, Jan 16, 2018 at 11:39:30PM +0100, Pablo Neira Ayuso wrote: > > > On Wed, Jan 17, 2018 at 08:52:17AM +1100, Duncan Roe wrote: > > > > On Wed, Jan 17, 2018 at